Google’s private browsing doesn’t keep your searches anonymous

New research has found that it doesn’t matter what you do to burst out of Google’s search filter bubble: you can log out of Google, then enter private browsing mode, but those precautions won’t render your search anonymous. Google’s search engine will still tailor results to the personal information the company has on you, including search, browsing and purchase history.

Granted, the research comes from search competitor DuckDuckGo, which draws search results from third-party sites such as Bing, Yahoo and Yandex without tracking you. The research is still eye-opening, though, in spite of DuckDuckGo being a competitor.

To test whether a search engine is really profiling you, keep in mind that a search engine that doesn’t profile users should show the same results to everyone who searches for a given term at the same time, without tweaking them based on things like an individual’s previous search history.

Google has claimed to have taken steps to reduce the filter bubble problem – a problem that’s been implicated in influencing US presidential election outcomes both in 2016 and in the 2012 Romney-Obama bout. The thinking is that profiling search users and feeding them tailored search results essentially surrounds them with a walled garden of information they already agree with, thereby silencing new information or differing opinions.

But in spite of Google’s steps to pop the bubble, it’s still showing users nonidentical search results even when they’re in private browsing mode, signed out of Google services.

DuckDuckGo studied a group of individuals who entered identical search terms at the same time. What it found:

  1. Most participants saw results unique to them. These discrepancies could not be explained by changes in location, time, by being logged in to Google, or by Google testing algorithm changes to a small subset of users.
  2. On the first page of search results, Google included links for some participants that it did not include for others, even when logged out and in private browsing mode.
  3. Results within the news and videos infoboxes also varied significantly. Even though people searched at the same time, people were shown different sources, even after accounting for location.
  4. Private browsing mode and being logged out of Google offered very little filter bubble protection. These tactics simply do not provide the anonymity most people expect.

The methodology: DuckDuckGo asked volunteers in the US to search for the terms “gun control”, “immigration”, and “vaccinations” (in that order) at the same time on 24 June. First, they searched in private browsing mode, while logged out of Google. Then, they repeated the searches in normal, non-private mode. Then, DuckDuckGo restricted results analysis to top-level domains. For example, and would both be treated as just

The results: some volunteers saw domains that nobody else did. The domains weren’t ordered consistently, either: in fact, the 19 domains returned for the “gun control” search were ordered in 31 different ways. Order of results is a significant factor, given the rapid fall-off of click-throughs corresponding to the order of links: link #1 gets ~40% of clicks, link #2 ~20%, link #3 ~10%, etc.

Given that the volunteers all searched at the same time, the variations aren’t attributable to people searching at different times and seeing different, time-shifting news results. Nor should the volunteers’ locations matter, given that DuckDuckGo changed all local links to be the same.

It didn’t matter whether volunteers were logged out of Google and in private browsing mode: the variations were about the same as in normal search mode.
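The comparison described above, sketched in Python as an added example (not DuckDuckGo's analysis code): each participant's result URLs are reduced to site domains, then the distinct orderings and the domains only one participant saw are counted. The participants, URLs and the two-label domain rule are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

def site_domain(url):
    """Reduce a URL to its last two host labels.
    Simplification (assumption): no public-suffix list, so 'bbc.co.uk' would be mishandled."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def domain_order(urls):
    """Ordered, de-duplicated site domains for one participant's first page."""
    seen = []
    for url in urls:
        d = site_domain(url)
        if d and d not in seen:
            seen.append(d)
    return tuple(seen)

def summarize(results):
    """results maps participant -> list of result URLs for one query in one mode."""
    orders = {p: domain_order(urls) for p, urls in results.items()}
    counts = Counter(d for order in orders.values() for d in order)
    return {
        "domains": len(counts),
        "distinct_orderings": len(set(orders.values())),
        "seen_by_one": sorted(d for d, n in counts.items() if n == 1),
    }

# Constructed sample data: four participants, same query, same moment.
A, W, B, X = ("https://www.news-a.example/1", "https://wiki.example/Gun_control",
              "https://news-b.example/x", "https://advocacy.example/")
PRIVATE = {  # logged out, private browsing
    "p1": [A, W, B],
    "p2": [W, "https://m.news-a.example/2", B],
    "p3": [A, W, X],
    "p4": [A, W, B],
}
NORMAL = {   # normal mode, same participants
    "p1": [A, W, B],
    "p2": [W, A, B],
    "p3": [W, X, A],
    "p4": [A, W, B],
}

if __name__ == "__main__":
    # A non-profiling engine would give distinct_orderings == 1 in both modes.
    for mode, data in (("private", PRIVATE), ("normal", NORMAL)):
        print(mode, summarize(data))
```

With this sample, both modes show the same amount of variation, which is the pattern the study reports for its real data.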

It is, in fact, a misconception that “going incognito” provides anonymity, DuckDuckGo notes, given that websites use IP addresses and browser fingerprinting to identify people regardless of those steps. And as we’ve noted before, browsers have to temporarily store data from main memory in secondary processor caches, in swap files squirrelled away in corners of the hard drive, and in OS-managed DNS caches. That is a lot to keep track of, and it means that forensics tools can often find wisps of data if they know where to look.

If you want to dig down into the data further, DuckDuckGo has made it available in two parts: Basic non-identifiable participant data, and raw data from the search results.

The code that DuckDuckGo wrote to analyze the data is open source and available on its GitHub repository.

If you want to read up on more options for bursting the filter bubble, you might want to take a look at this write-up we did last year about a self-hosted search option called Searx: an engine that submits searches without cookies or identifying information, meaning that the engines – including Google – don’t know anything about who’s searching.

As Naked Security’s Danny Bradbury notes in that article, there are multiple alternatives to Google: besides DuckDuckGo or Searx, there’s Startpage, which serves as something of a proxy for Google, and Disconnect, which offers private search as part of its broader privacy protection and tracker blocking service.

Readers, what are you searching with, and how do you like it? Let us know in the comments below.

Update. A Google spokesperson contacted us to say, “This study’s methodology and conclusions are flawed since they are based on the assumption that any difference in search results are based on personalization. That is simply not true. In fact, there are a number of factors that can lead to slight differences, including time and location, which this study doesn’t appear to have controlled for effectively.” [Added 2018-12-06T23:10Z]